Re: Help request for authentication with certicates
- Subject: Re: Help request for authentication with certicates
- From: Marco <bna.marco@xxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Thu, 28 Oct 2021 09:12:08 +0200
- To: libssh@xxxxxxxxxx
Hi.

You are right. Libssh does not scan automatically for certificate or public key.
While OpenSSH does it (or I can force certificate file using "-o CertificateFile" if I remember correctly), with libssh I do this:

<code>
#include <cstdlib>
#include <cstdio>
#include <iostream>
#include <iomanip>
#include <libssh/libssh.h>
#include <libssh/libsshpp.hpp>

int main(int argc, char* argv[]) {
    ssh::Session mySession;
    int port = 22;
    int verbosity = SSH_LOG_TRACE;
    try {
        mySession.setOption(ssh_options_e::SSH_OPTIONS_HOST, "10.10.70.2");
        mySession.setOption(ssh_options_e::SSH_OPTIONS_PORT, &port);
        mySession.setOption(ssh_options_e::SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
        mySession.setOption(ssh_options_e::SSH_OPTIONS_USER, "root");
        mySession.connect();

        // Load the signed certificate (myFile-cert.pub); returns SSH_OK on success.
        ssh_key certKey;
        if (ssh_pki_import_cert_file("myFile-cert.pub", &certKey) == SSH_OK) {
            // Probe only: ask the server whether it would accept this certificate.
            if (mySession.userauthTryPublickey(certKey) == SSH_AUTH_SUCCESS) {
                std::cout << "PUB IS OK --> PROVIDE PRIV" << std::endl;
                // Load the passphrase-protected private key.
                ssh_key privKey;
                if (ssh_pki_import_privkey_file("myFile", "mypassword", NULL, NULL, &privKey) == SSH_OK) {
                    std::cout << "PRIV KEY OK" << std::endl;
                    // Signed request made with the private key alone (the
                    // certificate loaded above is not attached to it).
                    int res = mySession.userauthPublickey(privKey);
                    if (res == SSH_AUTH_SUCCESS) {
                        std::cout << "Authenticated" << std::endl;
                    } else {
                        std::cout << "RES = " << res << std::endl;
                        std::cout << "!!!!! AUTH - " << ssh_get_error_code(mySession.getCSession()) << ": " << ssh_get_error(mySession.getCSession()) << std::endl;
                    }
                    mySession.disconnect();
                    ssh_key_free(privKey);
                } else {
                    std::cout << "!!!!! LOAD PRIV - " << ssh_get_error_code(mySession.getCSession()) << ": " << ssh_get_error(mySession.getCSession()) << std::endl;
                }
            } else {
                std::cout << "!!!!! TRY PUB - " << ssh_get_error_code(mySession.getCSession()) << ": " << ssh_get_error(mySession.getCSession()) << std::endl;
            }
            // Free the certificate on every path that imported it.
            ssh_key_free(certKey);
        } else {
            std::cout << "!!!!! IMPORT CERT - " << ssh_get_error_code(mySession.getCSession()) << ": " << ssh_get_error(mySession.getCSession()) << std::endl;
        }
    } catch (ssh::SshException& sshExc) {
        std::cout << "!!!!! EXC: " << sshExc.getCode() << ": " << sshExc.getError() << std::endl;
    }
    return EXIT_SUCCESS;
}
</code>

<code>
[2021/10/28 09:08:42.447359, 3] ssh_config_parse_file: Reading configuration data from /etc/ssh/ssh_config
[2021/10/28 09:08:42.449523, 2] ssh_config_parse_line: Unapplicable option: SendEnv, line: 50
[2021/10/28 09:08:42.449664, 1] ssh_config_parse_line: Unsupported option: HashKnownHosts, line: 51
[2021/10/28 09:08:42.449691, 2] ssh_connect: libssh 0.9.3 (c) 2003-2019 Aris Adamantiadis, Andreas Schneider and libssh contributors. Distributed under the LGPL, please refer to COPYING file for information about your rights, using threading threads_pthread
[2021/10/28 09:08:42.449702, 3] getai: host 10.10.70.2 matches an IP address
[2021/10/28 09:08:42.449970, 2] ssh_socket_connect: Nonblocking connection socket: 3
[2021/10/28 09:08:42.450030, 2] ssh_connect: Socket connecting, now waiting for the callbacks to work
[2021/10/28 09:08:42.450044, 3] ssh_connect: Actual timeout : 10000
[2021/10/28 09:08:42.453983, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLOUT ), out buffer 0
[2021/10/28 09:08:42.454099, 3] ssh_socket_pollcallback: Received POLLOUT in connecting state
[2021/10/28 09:08:42.454123, 1] socket_callback_connected: Socket connection callback: 1 (0)
[2021/10/28 09:08:42.454330, 3] ssh_socket_unbuffered_write: Enabling POLLOUT for socket
[2021/10/28 09:08:42.454391, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLOUT ), out buffer 0
[2021/10/28 09:08:42.508991, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLIN ), out buffer 0
[2021/10/28 09:08:42.509092, 3] callback_receive_banner: Received banner: SSH-2.0-OpenSSH_8.2
[2021/10/28 09:08:42.509110, 2] ssh_client_connection_callback: SSH server banner: SSH-2.0-OpenSSH_8.2
[2021/10/28 09:08:42.509121, 2] ssh_analyze_banner: Analyzing banner: SSH-2.0-OpenSSH_8.2
[2021/10/28 09:08:42.509142, 2] ssh_analyze_banner: We are talking to an OpenSSH client version: 8.2 (80200)
[2021/10/28 09:08:42.509334, 3] ssh_client_select_hostkeys: Order of wanted host keys: "ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss"
[2021/10/28 09:08:42.512701, 3] ssh_client_select_hostkeys: Algorithms found in known_hosts files: "ecdsa-sha2-nistp256"
[2021/10/28 09:08:42.512792, 3] ssh_client_select_hostkeys: Changing host key method to "ecdsa-sha2-nistp256,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss"
[2021/10/28 09:08:42.512851, 4] ssh_list_kex: kex algos: curve25519-sha256, curve25519-sha256@xxxxxxxxxx ,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c
[2021/10/28 09:08:42.512877, 4] ssh_list_kex: server host key algo: ecdsa-sha2-nistp256,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
[2021/10/28 09:08:42.512889, 4] ssh_list_kex: encryption client->server: aes256-gcm@xxxxxxxxxxx,aes128-gcm@xxxxxxxxxxx ,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc
[2021/10/28 09:08:42.512929, 4] ssh_list_kex: encryption server->client: aes256-gcm@xxxxxxxxxxx,aes128-gcm@xxxxxxxxxxx ,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc
[2021/10/28 09:08:42.512942, 4] ssh_list_kex: mac algo client->server: hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx, hmac-sha1-etm@xxxxxxxxxxx,hmac-sha2-256,hmac-sha2-512,hmac-sha1
[2021/10/28 09:08:42.512952, 4] ssh_list_kex: mac algo server->client: hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx, hmac-sha1-etm@xxxxxxxxxxx,hmac-sha2-256,hmac-sha2-512,hmac-sha1
[2021/10/28 09:08:42.512961, 4] ssh_list_kex: compression algo client->server: none
[2021/10/28 09:08:42.512970, 4] ssh_list_kex: compression algo server->client: none
[2021/10/28 09:08:42.513010, 4] ssh_list_kex: languages client->server:
[2021/10/28 09:08:42.513023, 4] ssh_list_kex: languages server->client:
[2021/10/28 09:08:42.513145, 3] ssh_socket_unbuffered_write: Enabling POLLOUT for socket
[2021/10/28 09:08:42.513199, 3] packet_send2: packet: wrote [type=20, len=940, padding_size=4, comp=935, payload=935]
[2021/10/28 09:08:42.513212, 3] ssh_send_kex: SSH_MSG_KEXINIT sent
[2021/10/28 09:08:42.513229, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLOUT ), out buffer 0
[2021/10/28 09:08:42.513238, 4] ssh_socket_pollcallback: sending control flow event
[2021/10/28 09:08:42.513248, 4] ssh_packet_socket_controlflow_callback: sending channel_write_wontblock callback
[2021/10/28 09:08:42.514538, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLIN ), out buffer 0
[2021/10/28 09:08:42.514643, 3] ssh_packet_socket_callback: packet: read type 20 [len=996,padding=9,comp=986,payload=986]
[2021/10/28 09:08:42.514663, 3] ssh_packet_process: Dispatching handler for packet type 20
[2021/10/28 09:08:42.514684, 4] ssh_list_kex: kex algos: curve25519-sha256, curve25519-sha256@xxxxxxxxxx ,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
[2021/10/28 09:08:42.514761, 4] ssh_list_kex: server host key algo: ssh-ed25519,ssh-ed25519-cert-v01@xxxxxxxxxxx
[2021/10/28 09:08:42.514784, 4] ssh_list_kex: encryption client->server: chacha20-poly1305@xxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr, aes128-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx
[2021/10/28 09:08:42.514800, 4] ssh_list_kex: encryption server->client: chacha20-poly1305@xxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr, aes128-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx
[2021/10/28 09:08:42.514817, 4] ssh_list_kex: mac algo client->server: umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx, hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx, hmac-sha1-etm@xxxxxxxxxxx,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx ,hmac-sha2-256,hmac-sha2-512,hmac-sha1
[2021/10/28 09:08:42.514874, 4] ssh_list_kex: mac algo server->client: umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx, hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx, hmac-sha1-etm@xxxxxxxxxxx,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx ,hmac-sha2-256,hmac-sha2-512,hmac-sha1
[2021/10/28 09:08:42.514893, 4] ssh_list_kex: compression algo client->server: none
[2021/10/28 09:08:42.514900, 4] ssh_list_kex: compression algo server->client: none
[2021/10/28 09:08:42.514909, 4] ssh_list_kex: languages client->server:
[2021/10/28 09:08:42.514973, 4] ssh_list_kex: languages server->client:
[2021/10/28 09:08:42.515048, 2] ssh_kex_select_methods: Negotiated curve25519-sha256,ssh-ed25519,aes256-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx, hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,none,none,,
[2021/10/28 09:08:42.515917, 3] ssh_socket_unbuffered_write: Enabling POLLOUT for socket
[2021/10/28 09:08:42.516506, 3] packet_send2: packet: wrote [type=30, len=44, padding_size=6, comp=37, payload=37]
[2021/10/28 09:08:42.516551, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLOUT ), out buffer 0
[2021/10/28 09:08:42.516652, 4] ssh_socket_pollcallback: sending control flow event
[2021/10/28 09:08:42.516671, 4] ssh_packet_socket_controlflow_callback: sending channel_write_wontblock callback
[2021/10/28 09:08:42.573762, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLIN ), out buffer 0
[2021/10/28 09:08:42.573901, 3] ssh_packet_socket_callback: packet: read type 31 [len=188,padding=8,comp=179,payload=179]
[2021/10/28 09:08:42.573927, 3] ssh_packet_process: Dispatching handler for packet type 31
[2021/10/28 09:08:42.574199, 3] ssh_socket_unbuffered_write: Enabling POLLOUT for socket
[2021/10/28 09:08:42.574264, 3] packet_send2: packet: wrote [type=21, len=12, padding_size=10, comp=1, payload=1]
[2021/10/28 09:08:42.574282, 4] ssh_packet_set_newkeys: called, direction = OUT
[2021/10/28 09:08:42.574487, 3] crypt_set_algorithms2: Set output algorithm to aes256-gcm@xxxxxxxxxxx
[2021/10/28 09:08:42.574561, 3] crypt_set_algorithms2: Set HMAC output algorithm to aead-gcm
[2021/10/28 09:08:42.574580, 3] crypt_set_algorithms2: Set input algorithm to aes256-gcm@xxxxxxxxxxx
[2021/10/28 09:08:42.574593, 3] crypt_set_algorithms2: Set HMAC input algorithm to aead-gcm
[2021/10/28 09:08:42.574620, 2] ssh_init_rekey_state: Set rekey after 4294967296 blocks
[2021/10/28 09:08:42.574687, 2] ssh_init_rekey_state: Set rekey after 4294967296 blocks
[2021/10/28 09:08:42.574714, 2] ssh_packet_client_curve25519_reply: SSH_MSG_NEWKEYS sent
[2021/10/28 09:08:42.574728, 3] ssh_packet_socket_callback: Processing 244 bytes left in socket buffer
[2021/10/28 09:08:42.574741, 3] ssh_packet_socket_callback: packet: read type 21 [len=12,padding=10,comp=1,payload=1]
[2021/10/28 09:08:42.574755, 3] ssh_packet_process: Dispatching handler for packet type 21
[2021/10/28 09:08:42.574764, 2] ssh_packet_newkeys: Received SSH_MSG_NEWKEYS
[2021/10/28 09:08:42.574781, 4] ssh_pki_signature_verify: Going to verify a ssh-ed25519 type signature
[2021/10/28 09:08:42.575037, 4] pki_verify_data_signature: Signature valid
[2021/10/28 09:08:42.575092, 2] ssh_packet_newkeys: Signature verified and valid
[2021/10/28 09:08:42.575104, 4] ssh_packet_set_newkeys: called, direction = IN
[2021/10/28 09:08:42.575114, 3] ssh_packet_socket_callback: Processing 228 bytes left in socket buffer
[2021/10/28 09:08:42.575129, 3] ssh_packet_socket_callback: packet: read type 7 [len=208,padding=4,comp=203,payload=203]
[2021/10/28 09:08:42.575140, 3] ssh_packet_process: Dispatching handler for packet type 7
[2021/10/28 09:08:42.575149, 3] ssh_packet_ext_info: Received SSH_MSG_EXT_INFO
[2021/10/28 09:08:42.575158, 3] ssh_packet_ext_info: Follows 1 extensions
[2021/10/28 09:08:42.575168, 3] ssh_packet_ext_info: Extension: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@xxxxxxxxxxx ,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, sk-ecdsa-sha2-nistp256@xxxxxxxxxxx>
[2021/10/28 09:08:42.575212, 3] ssh_connect: current state : 7
[2021/10/28 09:08:42.577743, 3] ssh_key_algorithm_allowed: Checking ssh-ed25519-cert-v01@xxxxxxxxxxx with list <ssh-ed25519-cert-v01@xxxxxxxxxxx ,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx, ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx, ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,rsa-sha2-512-cert-v01@xxxxxxxxxxx, rsa-sha2-256-cert-v01@xxxxxxxxxxx,ssh-rsa-cert-v01@xxxxxxxxxxx, ssh-dss-cert-v01@xxxxxxxxxxx ,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss>
[2021/10/28 09:08:42.577862, 3] packet_send2: packet: wrote [type=5, len=32, padding_size=14, comp=17, payload=17]
[2021/10/28 09:08:42.577883, 3] ssh_service_request: Sent SSH_MSG_SERVICE_REQUEST (service ssh-userauth)
[2021/10/28 09:08:42.577902, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLOUT ), out buffer 52
[2021/10/28 09:08:42.578031, 3] ssh_socket_unbuffered_write: Enabling POLLOUT for socket
[2021/10/28 09:08:42.578102, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLOUT ), out buffer 0
[2021/10/28 09:08:42.578117, 4] ssh_socket_pollcallback: sending control flow event
[2021/10/28 09:08:42.578126, 4] ssh_packet_socket_controlflow_callback: sending channel_write_wontblock callback
[2021/10/28 09:08:42.579018, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLIN ), out buffer 0
[2021/10/28 09:08:42.579115, 3] ssh_packet_socket_callback: packet: read type 6 [len=32,padding=14,comp=17,payload=17]
[2021/10/28 09:08:42.579138, 3] ssh_packet_process: Dispatching handler for packet type 6
[2021/10/28 09:08:42.579152, 3] ssh_packet_service_accept: Received SSH_MSG_SERVICE_ACCEPT
[2021/10/28 09:08:42.579283, 3] ssh_socket_unbuffered_write: Enabling POLLOUT for socket
[2021/10/28 09:08:42.579353, 3] packet_send2: packet: wrote [type=50, len=528, padding_size=6, comp=521, payload=521]
[2021/10/28 09:08:42.579376, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLOUT ), out buffer 0
[2021/10/28 09:08:42.579389, 4] ssh_socket_pollcallback: sending control flow event
[2021/10/28 09:08:42.579402, 4] ssh_packet_socket_controlflow_callback: sending channel_write_wontblock callback
[2021/10/28 09:08:42.656812, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLIN ), out buffer 0
[2021/10/28 09:08:42.656908, 3] ssh_packet_socket_callback: packet: read type 60 [len=496,padding=14,comp=481,payload=481]
[2021/10/28 09:08:42.656928, 3] ssh_packet_process: Dispatching handler for packet type 60
[2021/10/28 09:08:42.656941, 4] ssh_packet_userauth_pk_ok: Received SSH_USERAUTH_PK_OK/INFO_REQUEST/GSSAPI_RESPONSE
[2021/10/28 09:08:42.656992, 4] ssh_packet_userauth_pk_ok: Assuming SSH_USERAUTH_PK_OK
PUB IS OK --> PROVIDE PRIV
[2021/10/28 09:08:42.659075, 2] ssh_pki_import_privkey_base64: Trying to decode privkey passphrase=true
[2021/10/28 09:08:42.659222, 2] ssh_pki_openssh_import: Opening OpenSSH private key: ciphername: aes256-ctr, kdf: bcrypt, nkeys: 1
[2021/10/28 09:08:42.659301, 3] pki_private_key_decrypt: Decryption: 32 key, 16 IV, 16 rounds, 16 bytes salt
PRIV KEY OK
[2021/10/28 09:08:42.825385, 3] ssh_key_algorithm_allowed: Checking ssh-ed25519 with list <ssh-ed25519-cert-v01@xxxxxxxxxxx, ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx, ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx, ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,rsa-sha2-512-cert-v01@xxxxxxxxxxx, rsa-sha2-256-cert-v01@xxxxxxxxxxx,ssh-rsa-cert-v01@xxxxxxxxxxx, ssh-dss-cert-v01@xxxxxxxxxxx ,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss>
[2021/10/28 09:08:42.825710, 3] ssh_socket_unbuffered_write: Enabling POLLOUT for socket
[2021/10/28 09:08:42.825779, 3] packet_send2: packet: wrote [type=50, len=208, padding_size=9, comp=198, payload=198]
[2021/10/28 09:08:42.825803, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLOUT ), out buffer 0
[2021/10/28 09:08:42.825819, 4] ssh_socket_pollcallback: sending control flow event
[2021/10/28 09:08:42.825835, 4] ssh_packet_socket_controlflow_callback: sending channel_write_wontblock callback
[2021/10/28 09:08:42.832362, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLIN ), out buffer 0
[2021/10/28 09:08:42.832464, 3] ssh_packet_socket_callback: packet: read type 51 [len=48,padding=13,comp=34,payload=34]
[2021/10/28 09:08:42.832482, 3] ssh_packet_process: Dispatching handler for packet type 51
[2021/10/28 09:08:42.832528, 1] ssh_packet_userauth_failure: Access denied for 'publickey'. Authentication that can continue: publickey,password,hostbased
[2021/10/28 09:08:42.832576, 2] ssh_packet_userauth_failure: Access denied for 'publickey'. Authentication that can continue: publickey,password,hostbased
RES = 1
!!!!! AUTH - 1: Access denied for 'publickey'. Authentication that can continue: publickey,password,hostbased
</code>

As you can see I try to load certificate with public key and then I provide private key.
What I've got is

!!!!! AUTH - 1: Access denied for 'publickey'. Authentication that can continue: publickey,password,hostbased

At server side in /var/log/auth.log there is nothing to see other than disconnection.... I'll try to set debug to higher level.

Some suggestion about the authentication error?

Marco Bna'

On Wed, 27 Oct 2021, 20:01 Jakub Jelen <jjelen@xxxxxxxxxx> wrote:

> On 10/27/21 16:26, Marco wrote:
> > Hi all and thanks for attention.
> >
> > I have some difficulties in authentication using certificate from C
> > application using ssh to a server correctly configured, I think.
> >
> > I've generated a private and public key and signed the public with the
> > certification authority private key to have -cert.pub with desired
> > principals (principals are in /etc/ssh/auth_principals/%u at server side)
> >
> > The server is configured to recognize the CA and has authentication
> > principals
> >
> > Using ssh from shell I have no issue.
> >
> > With c application following tutorial and after setting session with
> > username, ip, port, I try public key using cert file, it succeeds, then I
> > try to authenticate with private key but I have Access denied.
>
> AFAIK the OpenSSH (ssh from shell) automatically loads the existing
> -cert.pub files when it finds them alongside of the private and public
> key files. I am not sure if this functionality is implemented in libssh,
> but from what you describe, it looks like the case.
>
> The certificate and public key authentication are both using the pubkey
> authentication method, but they are using different "key type" (or
> mechanism -- for example ssh-ed25519 or
> ssh-ed25519-cert-v01@xxxxxxxxxxx), which will use different content of
> the authentication packets (you should be able to see this difference in
> debug mode of both server and clients).
>
> I think this works as expected from the protocol point of view. If you
> think libssh should also try to find matching certificates and use them
> for the authentication, contributions are welcomed:
>
> https://gitlab.com/libssh/libssh-mirror
>
> Hope it helps,
> --
> Jakub Jelen
> Crypto Team, Security Engineering
> Red Hat, Inc.
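
The difference in offered "key type" that the quoted reply describes can be read mechanically from a libssh trace like the one in this message. The following is an added example, not code from the thread or from libssh: it lists the key type offered in each SSH_MSG_USERAUTH_REQUEST (packet type 50) and flags an accepted certificate probe followed by a rejected request that offered only the bare key. The sample trace is constructed, and the names `auth_attempts` and `find_cert_mismatch` are hypothetical.

```python
import re

# One libssh trace entry: "[date time, level] function: message". Matching up
# to the next timestamp also copes with archives that flatten the line breaks.
ENTRY = re.compile(
    r"\[\d{4}/\d\d/\d\d [\d:.]+, \d\]\s+(\w+):\s+(.*?)(?=\[\d{4}/\d\d/\d\d |\Z)",
    re.S,
)
CHECKED = re.compile(r"Checking (\S+) with list")
OUTCOMES = {
    "ssh_packet_userauth_pk_ok": "pk_ok",
    "ssh_packet_userauth_failure": "failure",
    "ssh_packet_userauth_success": "success",
}

# Constructed sample in the shape of a libssh trace (not the poster's log).
SAMPLE = """\
[2021/01/01 10:00:00.000001, 3] ssh_key_algorithm_allowed: Checking ssh-ed25519-cert-v01@openssh.com with list <ssh-ed25519-cert-v01@openssh.com,ssh-ed25519>
[2021/01/01 10:00:00.000002, 3] packet_send2: packet: wrote [type=50, len=528, padding_size=6, comp=521, payload=521]
[2021/01/01 10:00:00.000003, 4] ssh_packet_userauth_pk_ok: Assuming SSH_USERAUTH_PK_OK
[2021/01/01 10:00:00.000004, 3] ssh_key_algorithm_allowed: Checking ssh-ed25519 with list <ssh-ed25519-cert-v01@openssh.com,ssh-ed25519>
[2021/01/01 10:00:00.000005, 3] packet_send2: packet: wrote [type=50, len=208, padding_size=9, comp=198, payload=198]
[2021/01/01 10:00:00.000006, 1] ssh_packet_userauth_failure: Access denied for 'publickey'. Authentication that can continue: publickey,password
[2021/01/01 10:00:00.000007, 2] ssh_packet_userauth_failure: Access denied for 'publickey'. Authentication that can continue: publickey,password
"""

def auth_attempts(trace):
    """Return [key_type, outcome] for each public-key userauth request sent."""
    attempts, pending = [], None
    for func, msg in ENTRY.findall(trace):
        checked = CHECKED.search(msg)
        if func == "ssh_key_algorithm_allowed" and checked:
            pending = checked.group(1)        # key type about to be offered
        elif func == "packet_send2" and "type=50," in msg and pending:
            attempts.append([pending, None])  # the request left the client
            pending = None
        elif func in OUTCOMES and attempts and attempts[-1][1] is None:
            attempts[-1][1] = OUTCOMES[func]  # first reply wins; repeats are ignored
    return attempts

def is_cert(key_type):
    return "-cert-v01@" in key_type

def find_cert_mismatch(attempts):
    """Flag a certificate probe the server accepted, followed by a rejected
    request that offered only the bare key of the same family."""
    for (probe, p_out), (signed, s_out) in zip(attempts, attempts[1:]):
        same_family = probe.split("-cert-v01@")[0] == signed
        if (is_cert(probe) and p_out == "pk_ok" and not is_cert(signed)
                and same_family and s_out == "failure"):
            return {"probed": probe, "signed": signed}
    return None

if __name__ == "__main__":
    print(find_cert_mismatch(auth_attempts(SAMPLE)))
```
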